
JSON Web Keys restricted by "use" parameter

@MicahParks MicahParks released this 15 Oct 01:50
a939f14

The purpose of this PR is to restrict what keys are returned by the .Keyfunc method based on their JWK's "use" parameter's value.

Two new keyfunc.Options fields have been added:

  • JWKUseWhitelist
  • JWKUseNoWhitelist

The default behavior of this package has changed to enhance its security. The new default behavior returns keyfunc.ErrJWKUseWhitelist if a JWT has been signed by a parsed JWK whose "use" parameter is present and is neither "sig" nor the empty string "". A JWK with "use" set to "sig", set to "", or with no "use" parameter at all is still accepted. If your use case involves a custom JWK "use" parameter value, you will need to list your custom value(s) in the new JWKUseWhitelist field on the keyfunc.Options data structure.

The previous default behavior would not cause an error if a JWK's "use" parameter's value was "enc", which would be an improper JWK for signing a JWT. See https://tools.ietf.org/html/rfc7517#section-4.2
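The selection rule described above, as an added stand-alone illustration that is not keyfunc's own code: a small JWKS is parsed, and a lookup by "kid" refuses any key whose "use" is neither "sig" nor empty unless that value appears in a JWKUseWhitelist-style list. The JWKS, the Options type, the ErrJWKUseWhitelist sentinel and the assumption that JWKUseNoWhitelist disables the check entirely are all constructed here for the example, and the "kid" values are made up.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrJWKUseWhitelist is a local stand-in for the error the release
// describes; it is not the library's own value.
var ErrJWKUseWhitelist = errors.New("JWK \"use\" parameter value is not whitelisted for signature verification")

// JWK holds only the JWK members this example needs (RFC 7517 section 4).
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Use string `json:"use"` // empty when the member is absent
	Alg string `json:"alg"`
}

// JWKS is a JWK Set: {"keys": [...]}.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Options mirrors the two new fields from the release. JWKUseNoWhitelist
// is assumed here to turn the "use" check off entirely.
type Options struct {
	JWKUseWhitelist   []string
	JWKUseNoWhitelist bool
}

// useAllowed reports whether a key carrying this "use" value may be used
// to verify a JWT signature under the release's default rule: "sig" and
// an absent or empty "use" pass, anything else must be whitelisted.
func useAllowed(use string, opts Options) bool {
	if opts.JWKUseNoWhitelist {
		return true
	}
	if use == "" || use == "sig" {
		return true
	}
	for _, w := range opts.JWKUseWhitelist {
		if w == use {
			return true
		}
	}
	return false
}

// keyForKid does what a Keyfunc does at verification time: find the JWK
// named by the JWT header's "kid", then refuse it if its "use" is not
// acceptable for signatures.
func keyForKid(jwks JWKS, kid string, opts Options) (JWK, error) {
	for _, k := range jwks.Keys {
		if k.Kid != kid {
			continue
		}
		if !useAllowed(k.Use, opts) {
			return JWK{}, ErrJWKUseWhitelist
		}
		return k, nil
	}
	return JWK{}, fmt.Errorf("no JWK with kid %q", kid)
}

// parseJWKS decodes a JWK Set document.
func parseJWKS(raw string) (JWKS, error) {
	var jwks JWKS
	if err := json.Unmarshal([]byte(raw), &jwks); err != nil {
		return JWKS{}, fmt.Errorf("parse JWKS: %w", err)
	}
	return jwks, nil
}

// sampleJWKS is a constructed JWK Set: a signing key, an encryption key,
// a key with no "use" member, and a key with a custom "use" value.
const sampleJWKS = `{"keys":[
 {"kid":"sig-key","kty":"RSA","use":"sig","alg":"RS256"},
 {"kid":"enc-key","kty":"RSA","use":"enc","alg":"RSA-OAEP"},
 {"kid":"no-use-key","kty":"EC","alg":"ES256"},
 {"kid":"custom-key","kty":"EC","use":"internal-sig","alg":"ES256"}
]}`

func main() {
	jwks, err := parseJWKS(sampleJWKS)
	if err != nil {
		panic(err)
	}
	defaults := Options{}
	custom := Options{JWKUseWhitelist: []string{"internal-sig"}}
	for _, kid := range []string{"sig-key", "enc-key", "no-use-key", "custom-key"} {
		_, errDefault := keyForKid(jwks, kid, defaults)
		_, errCustom := keyForKid(jwks, kid, custom)
		fmt.Printf("%-11s default: %v | whitelist: %v\n", kid, errDefault, errCustom)
	}
}
```

Under the default options, "enc-key" and "custom-key" are rejected with ErrJWKUseWhitelist while "sig-key" and "no-use-key" are accepted; adding "internal-sig" to the whitelist admits "custom-key" but still keeps the encryption key out, which is the key-confusion case the release closes.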

Thank you to our new contributor, @trevorlyman!

Relevant pull requests:

Relevant issues: